
Exchange Edge Transport with TMG


Hi,

I guess firstly I'm trying to understand the different ways you can have your anti-spam filter e-mail server in the DMZ listening for e-mails set up. From what I'm reading on the internet there are many different ways you can have it set up and it seems there is no right or wrong answer.

For instance I've read that if you're using TMG you can have TMG, Forefront for Exchange and the Edge server all set up and running on the same server as a multi-layer effect.

What I'm wondering is if I'm using something like TMG is there any need to install the Edge Transport. I'm thinking that if I'm using TMG to filter I can have a subscription set up from this straight into the internal Hub Transport server from the single server just running TMG.

I'll explain why I'm asking and this may help someone give me a better understanding or explanation. I am by no means an Exchange or TMG expert so I apologise if some of this doesn't make sense.

I will shortly be helping with an office move and the current setup is very messy: a server in the DMZ with TMG, Edge Transport & Forefront for Exchange all installed on it handles incoming e-mail. However the e-mail filter feature is disabled on TMG and the Forefront for Exchange just handles the anti-spam side of things, which then obviously pushes these through to the Edge Transport then onto the Hub on our internal network.

The idea is to get a new server set up out on the DMZ at another location just running TMG, preconfigured, and then one weekend we can just move the Exchange server up to this location, change the MX records to point to this new server in the DMZ and then obviously tell this server the new IP that will be given to the Exchange server at its new location.

Any thoughts or suggestions from any well-experienced Exchange experts would be much appreciated.


Microsoft doesn't typically promote the use of TMG as a mail 'filtering' product. It's really just used to publish the web services.

Although Edge servers don't exist in Exchange 2013 anymore, you can use Exchange 2010 Edge servers for the purpose of performing all manner of mail filtering if you so wish. Adding on Forefront for Exchange can give you a great deal of filtering and antispam capabilities that you don't have out of the box.

Things have however changed as of late since E2013 no longer has Edge (as mentioned above) and the move from FOPE to EOP means that Directory Based Edge Blocking (DBEB) is no longer supported. TMG is also no longer being sold, but has extended support until 2020. Based on the latest Exchange Team Blog post, we're not even using TMG anymore in the Microsoft Exchange 2013 deployment as the product is being built from the ground up to be 'secure'.

So what am I getting at?

1) You basically may not need TMG nor Edge servers anymore in the near future, assuming you wish to have some form of antispam (EOP) and you're not worried about DBEB, and you're deploying E2013.
2) The communique I have from the EOP team is that customers that have been using DBEB have seen an increase in SPAM coupled with RFC SMTP compliance issues and missed emails. If you accept these conditions, then the Edge server would be relegated to simply performing DBEB whilst EOP can be relegated to performing antiviral and antispam duties (it is also possible to configure a "sort of" DBEB on Exchange Transport roles to silently drop messages).
3) If you do not wish to use EOP or a third party device, then the Edge server with full features enabled, would be the alternative choice rather than using TMG.
4) If you're running E2010, then keep using TMG to publish the web services (as it gives you greater control over Forms Based, or Certificate and other publishing methods).
5) If you're using E2013, you may find that you can forego using TMG.
6) The Product Group doesn't really like the idea of running TMG on Exchange or Lync Edge servers, but if you get an appropriate supportability statement from Premier, then hey, why not.

But a transition would probably work best if you had a new TMG and a new Edge server in the new location, and then simply moved all services over in one go when things are ready. Load Balancers and proper weighting can help in this. Preparing, but not enabling connectors also helps out. Of course make sure the new site has sufficient GC computing power as well, and prepare your Edge Subscriptions.
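As an added example that is not part of the thread (neither the original post's plan nor the reply above), here is what the "prepare, but do not enable, the connectors" and "prepare your Edge Subscriptions" advice looks like for the original poster's scenario in Exchange 2010: an Edge Transport server pre-staged in the new DMZ, kept silent until the cutover weekend, plus recipient validation on the Hub Transport as the "sort of" DBEB fallback mentioned in point 2. Every name is an assumption: EDGE-NEW (the new Edge server), HUB01 (the internal Hub Transport server), NewSite (the Active Directory site HUB01 will sit in after the move), the subscription file path and the connector name.

```powershell
# Added example, not from the thread. Server names, site name and paths are assumed.
# Run each step in the Exchange Management Shell on the server indicated.

### 1. On EDGE-NEW (new DMZ): subscribe, but stay quiet until cutover.
# The default Edge Receive connector listens on 0.0.0.0:25 for the whole Internet;
# disable it so nothing is accepted before the MX records move.
Get-ReceiveConnector | Set-ReceiveConnector -Enabled $false

# Export the Edge Subscription file (it expires after 1440 minutes, so import it promptly).
New-EdgeSubscription -FileName "C:\EdgeSub\EDGE-NEW.xml"

### 2. On HUB01 (internal): import the subscription for the new site.
# -CreateInternetSendConnector $false lets us create the outbound connector ourselves,
# disabled, instead of letting EdgeSync create one that is live straight away.
New-EdgeSubscription `
    -FileData ([byte[]]$(Get-Content -Path "C:\EdgeSub\EDGE-NEW.xml" -Encoding Byte -ReadCount 0)) `
    -Site "NewSite" `
    -CreateInternetSendConnector $false

# Outbound Internet connector sourced on the new Edge: prepared now, enabled on cutover day.
New-SendConnector -Name "Internet via EDGE-NEW" -Usage Internet `
    -AddressSpaces "SMTP:*;1" -SourceTransportServers EDGE-NEW -Enabled $false

# Seed the Edge's AD LDS instance and confirm the sync actually completed.
Start-EdgeSynchronization -Server HUB01 -TargetServer EDGE-NEW -ForceFullSync
Test-EdgeSynchronization -FullCompareMode | Format-List Name, SyncStatus, LastSynchronizedUtc

### 3. On HUB01: recipient validation as the fallback "DBEB" on the Hub itself.
# The anti-spam agents are not installed on a Hub Transport server by default;
# Install-AntispamAgents.ps1 ships in $exscripts and needs a transport restart.
& "$exscripts\Install-AntispamAgents.ps1"
Restart-Service MSExchangeTransport
# With this on, RCPT TO for a non-existent recipient is rejected at the SMTP session
# (550 5.1.1) rather than generating an NDR later.
Set-RecipientFilterConfig -RecipientValidationEnabled $true

### 4. Cutover weekend.
# a) HUB01 is re-addressed at the new site. The EdgeSync-created inbound Send connector
#    on EDGE-NEW points at HUB01 by FQDN, so update DNS (or the Edge's hosts file,
#    C:\Windows\System32\drivers\etc\hosts) before enabling anything.
# b) On HUB01: re-sync so the Edge picks up any changes, then enable outbound.
Start-EdgeSynchronization -Server HUB01 -TargetServer EDGE-NEW -ForceFullSync
Set-SendConnector "Internet via EDGE-NEW" -Enabled $true
# c) On EDGE-NEW: start accepting Internet mail, then move the MX records.
Get-ReceiveConnector | Set-ReceiveConnector -Enabled $true
# d) From an external host, before trusting the new MX: open a session to the Edge's
#    public IP on TCP 25, issue EHLO / MAIL FROM / RCPT TO for a real mailbox and
#    expect 250; a made-up recipient should get 550 5.1.1 if recipient filtering
#    is enabled on the Edge as well.
```

The ordering matters more than the individual cmdlets: the subscription and connectors are all created while the Receive connector on the Edge is disabled, so the new site can be fully synchronised and tested with `Test-EdgeSynchronization` days in advance, and the only changes left for the weekend are the HUB01 address, the two `-Enabled $true` calls and the MX records.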

Thanks for your reply Shinigami. I should have mentioned in my post that we're running E2010 and also we're aware that TMG is coming to an end. However we haven't got the time or resources right now to change our setup as we're moving office and, compared to the other services we offer which we are having to migrate, the whole Exchange setup isn't going to get the attention it needs. So the general plan as mentioned before is just to get TMG set up at another site and then move the Exchange server there on a weekend and make the adjustments that are needed on the day.

I have seen a lot of posts where people have deployed TMG, Edge and the Forefront for Exchange all together as they've all got their own functions. Is it actually possible to just have TMG set up by itself though? As when I'm looking inside TMG I'm seeing that under the e-mail policy settings it has a spam filter and a Virus & Content Filtering section, which is what is required, so my thinking was to have these enabled and then set up some sort of transport through TMG to the internal Exchange server. I'm guessing I must be missing something as I'm looking at TMG and thinking it fits the bill for doing everything that's needed, however I only seem to be able to find articles across the internet where people mention that they have just TMG deployed alongside the Edge and Forefront applications.

I've only found a sniff online of some people mentioning that they have TMG set up with an SMTP relay to their internal Exchange without any need for the Edge Transport, but no real instructions of how exactly they have it set up or whether they're then using the functions in TMG for filtering etc.

I'm just thinking if TMG can fit all then I would rather just have this installed managing not only the spam, virus and content filtering but then the forwarding of mail onto the Hub.

I'm not an expert in TMG. I've never heard that it was possible to do SMTP virus/spam scanning using TMG.
I wonder how this would work, i.e. where do you get the signature files to render TMG a mail scanning product?

I could see it becoming possible if it somehow clicks-in with Forefront for Exchange installed on a Hub Transport or Edge Transport server (as this is where the real 'magic' in terms of viral and spam scanning is done).

Perhaps a standalone TMG server is incapable of doing mail scanning, and it seems you haven't had much luck finding out more about this, and I just don't know as I've never seen this either. Sorry.

As far as use of TMG goes, we really just use it to publish web services.

I believe with ISA, there was a way to relay SMTP inside/outside, however in TMG, there does not seem to be a way to do it, at least not that I know of. Like Shinigami mentioned, publishing web services like OWA is what I'd expect it to do. Here's a link to the ISA page regarding SMTP relay. Couldn't find the same thing for TMG unfortunately.

Thanks for your help anyway. In the end I've gone for what I can see mostly on the internet as the way to do it, which is TMG, Edge Transport & Forefront all on one server, and you were right Shinigami, TMG clicks in with the other two programs and you can manage the whole configuration between the 3 applications from TMG.

I continued to look for a way to use TMG just by itself as I did find people mentioning it, but without any real details of how. But when I was going into TMG and going through the E-mail policy wizard it was asking me to install the two above programs before this was possible.
